Problems with FIM 2010 topology: SPN, authN

  • Here is the problem:

    q1. Why do I get the error?

    q2. Where and how can I get this done: Kernel-Mode authentication = Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file).

    I used the IIS GUI: Authentication \ Windows Integrated \ Advanced... then verified that Kernel authN is checked. Is it the same?

    It's not written in the *.config files I found.


    ################ Error ##############

    - System
      - Provider
        [ Name]  Microsoft.ResourceManagement.PortalHealthSource
      - EventID 10
        [ Qualifiers]  0
        Level 2
        Task 0
        Keywords 0x80000000000000
      - TimeCreated
        [ SystemTime]  2011-02-12T11:53:43.000000000Z
        EventRecordID 2280
        Channel Application
        Computer SERVER1.horn.lan
        Security

    - EventData
      The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly. The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service.


    ##############   SPN Scenario #################

    SCENARIO 2b

    IIS 7.0 Web Site/Application
    Authentication = Integrated Windows authentication
    Application Pool Identity = Custom account for e.g. Domain1\Username1
    Kernel-Mode authentication = Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file)
    Site URL Accessed with a Custom host/Host header name, like http://www.mysite.com


    SPNs are registered ONLY for the IIS machine account and NOT for the Domain1\Username1 account, unlike in IIS 6.0.

    DUMP
    C:\Users\guy>setspn -L server1
    Registered ServicePrincipalNames for CN=SERVER1,CN=Computers,DC=horn,DC=lan:
            http/fim
            http/fim.horn.lan
            WSMAN/SERVER1
            WSMAN/SERVER1.horn.lan
            TERMSRV/SERVER1
            TERMSRV/SERVER1.horn.lan
            RestrictedKrbHost/SERVER1
            HOST/SERVER1
            RestrictedKrbHost/SERVER1.horn.lan
            HOST/SERVER1.horn.lan

    ################ extra SPN ################


    DUMP
    C:\Users\guy>setspn -L fimsvc
    Registered ServicePrincipalNames for CN=fim service account,OU=Service accounts,DC=horn,DC=lan:
            FIMService/server1.horn.lan
            FIMService/server1
            FIMService/fim
            FIMService/fim.horn.lan

    FARM topology

    1. dc1: PKI, DC
    2. Exch2010: Exchange 2010, SQL2008 r2, synchronization server
    3. server1: Sharepoint 3.0. FIM & password portal

    ########### Sharepoint #############

    alternate access mapping:
    default = https://fim.horn.lan
    Authentication = Windows Kerberos.

    Saturday, February 12, 2011 12:34 PM

All replies

  • Guy,

    Kernel Mode AuthN is enabled by default for Windows Integrated AuthN. You can verify it in the GUI like you say. It will only appear in the applicationHost.config if you toggle it off and on in the GUI. So if it's not present in the config file, it's default, meaning it's on.

    I would turn on failure logging for logon events and try to see what's going wrong. You seem to have most of the stuff covered to get it working. Kerberos debug logging might help too.

    Do you have delegation configured from your "application pool identity" account to the FIMService/... SPNs?

    Regards,
    Thomas


    http://setspn.blogspot.com
    Saturday, February 12, 2011 5:35 PM
  • Have you configured server1's computer account to delegate to the fimsvc SPNs?
    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com
    Saturday, February 12, 2011 6:27 PM
  • Thomas.

    I am now following scenario 2 from http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

    I turned all logging on and added Kerberos logging. Somehow with regedit.

    The delegation of FIMService/fim.horn.lan is given to horn\fimsvc. So I guess I did.

    I start the SharePoint app pool with horn\spsvc (dedicated service account).

    Now I'm checking whether I implemented the config in applicationHost.config correctly: Kernel-Mode authentication = Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file)

    Thanks for helping me, Guy.

    Sunday, February 13, 2011 2:56 PM
  • Brian.

    I am now following scenario 2 from http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

    I added 2 delegations:

    1. FIMService/fim.horn.lan to horn\fimsvc (the FIM service account)

    2. http/fim.horn.lan to server1 (the portal server)

    Thanks for helping, Guy

    Sunday, February 13, 2011 3:00 PM
  • This isn't correct.

    You need to configure Server1 to be able to delegate to horn\fimsvc (specifically FIMService/fim.horn.lan and FIMService/fim).


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com
    Sunday, February 13, 2011 5:03 PM
  • Hello Brian, thanks. I'll try it ASAP. As I understand it I should type:

    setspn -S FIMService/fim.horn.lan horn\server1. Is that what you are saying?

    If so, you're saying the scenario I refer to isn't right? Or did I misunderstand it?

    It's the scenario the TechNet manual refers to. If it's wrong maybe someone at Microsoft should know about it.


    GH
    Thursday, February 17, 2011 11:50 AM
  • No you are incorrect.

    You have to open AD Users & Computers, double click the "Server1" object and on the delegation tab add a delegation to the FIMService/fim.horn.lan SPN.
    However we are assuming that your application pool identity in IIS is configured as "network service". "Network service" means the identity of the server (server1) is used.

    If you have a custom AD user account, you have to configure delegation on this account.


    http://setspn.blogspot.com
    Thursday, February 17, 2011 12:26 PM
  • Thomas,

    1. I 'trust' all relevant accounts through AD U&C.

    2. I start the application pool with a dedicated domain\user.


    #######  FIM config ##############

    My whole configuration is:

    custom-site-name = fim.horn.wan

    DNS record = fim.horn.wan = CNAME to server1.horn.lan

    FIM Service account = fimsvc

    SharePoint Application Pool Identity = horn\spsvc

    SharePoint Alternate Access Mappings: default = https://fim.horn.wan

    Kernel-Mode authentication = Enabled (useKernelMode="true" in the ApplicationHost.config file)

    Site URL accessed with a custom host/host header name, https://fim.horn.wan

    SPN:

    1. For the web site: http/fim.horn.wan >> to >> horn\server1

    Setspn -a http/<site-custom-name> <myIISserver-NetBIOS-name> where <myIISserver-NetBIOS-name> is the IIS machine account and <site-custom-name> is the custom host/host header name for the Web Site URL.

    2. For the FIM service: FIMService/fim.horn.wan >> to >> horn\fimsvc

    All relevant accounts, servers and users, are trusted for delegation through AD U&C.


    #################################


    ########## Questions ###################


    There are a few questions I'd like to verify:

    a. Should I use a CNAME or an A DNS record for the custom site name?

    b. Should I install the FIM site at https://'netbios-name', https://'real'FQDN, https://custom-site-name, or something else?

    c. Which SharePoint alternate access setting should I use, considering the answer to question b?

    d. I got it working perfectly according to scenario 1b: http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx.
    ==>> Can I change the config to scenario 2b (custom-site-name) without reinstalling FIM?


    With regards,
    Guy Horn


    GH
    Friday, February 18, 2011 1:16 PM
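The chain Thomas and Brian describe (with kernel-mode authentication the http/<host header> SPN sits on the IIS machine account only, the FIMService SPNs sit on the FIM service account, and the account that actually runs the portal app pool must be allowed to delegate to them) can be verified from a domain-joined machine with the following PowerShell, which is an added diagnostic and not code from the thread or from FIM. Names are taken from Guy's configuration post; the computer's sAMAccountName (SERVER1$) and the Find-/Get- function names are assumptions.

```powershell
# Added diagnostic (not from the thread). Values mirror the poster's setup; adjust as needed.
$HostHeader     = 'fim.horn.wan'
$IisComputer    = 'SERVER1$'     # machine account sAMAccountName ends with $ (assumed)
$AppPoolAccount = 'spsvc'        # SharePoint/FIM portal app pool identity
$FimSvcAccount  = 'fimsvc'       # FIM Service account

function Find-AccountsWithSpn {
    # Returns every account holding the SPN. More than one holder is a duplicate SPN,
    # and the KDC then cannot issue a ticket for that service (Kerberos silently fails).
    param([string]$Spn)
    $s = [adsisearcher]"(servicePrincipalName=$Spn)"
    @($s.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
}

function Get-AccountSpnInfo {
    param([string]$SamAccountName)
    $r = ([adsisearcher]"(sAMAccountName=$SamAccountName)").FindOne()
    if (-not $r) { throw "Account '$SamAccountName' not found in AD" }
    [pscustomobject]@{
        Name                = $SamAccountName
        Spns                = @($r.Properties['serviceprincipalname'])
        AllowedToDelegateTo = @($r.Properties['msds-allowedtodelegateto'])   # constrained delegation list
        # userAccountControl 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained; avoid, constrain instead)
        Unconstrained       = ([int]$r.Properties['useraccountcontrol'][0] -band 0x80000) -ne 0
    }
}

$findings = @()
# 1. Kernel-mode auth decrypts the ticket with the machine key, so http/<host header>
#    must be on the machine account and nowhere else.
$holders = Find-AccountsWithSpn "http/$HostHeader"
if ($holders.Count -ne 1 -or $holders[0] -ne $IisComputer) {
    $findings += "http/$HostHeader is held by [$($holders -join ', ')]; expected only $IisComputer"
}
# 2. The FIM Service SPN must be on the FIM service account.
$fim = Get-AccountSpnInfo $FimSvcAccount
if ($fim.Spns -notcontains "FIMService/$HostHeader") {
    $findings += "FIMService/$HostHeader is missing on $FimSvcAccount"
}
# 3. The account running the app pool (the custom identity, not the machine account)
#    is the one that must be allowed to delegate to the FIMService SPNs.
$pool = Get-AccountSpnInfo $AppPoolAccount
if (-not $pool.Unconstrained -and $pool.AllowedToDelegateTo -notcontains "FIMService/$HostHeader") {
    $findings += "$AppPoolAccount is not allowed to delegate to FIMService/$HostHeader"
}
if ($pool.Unconstrained) {
    $findings += "$AppPoolAccount uses unconstrained delegation; constrain it to the FIMService SPNs"
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Kerberos SPN/delegation chain is consistent' }
```

Pair this with the Kerberos event logging mentioned above: a duplicate SPN or a missing delegation entry shows up here even when the IIS GUI reports kernel-mode authentication as enabled.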